Paper clip attack skewers Chip and PIN

Tapping up

Updated: UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions.

Two of the most popular PIN entry devices (PEDs) in the UK, the Ingenico i3300 and Dione Xtreme, are vulnerable to a "tapping attack" using nothing more sophisticated than a paper clip, a needle and a small recording device.

This basic kit enabled University of Cambridge Computer Labs researchers to record data exchanged between a card and the device's processor without triggering tamper-proofing mechanisms. The devices analysed by the team were borrowed from merchants, but they can also be purchased online for as little as $20.

In a technical paper (PDF) the researchers explain that in both PIN entry devices they examined the secure storage for cryptographic keys is well protected. However, in each case it is possible to tap the data line between the card and the PIN Entry device's processor. The data exchanged on this line is not encrypted so the problem becomes one of getting physical access to the link and of hiding this covert snooping.

The Ingenico PED includes 1mm holes that give access to the printed circuit board with a bent paper clip. "This can be inserted through a hole in the plastic surrounding the internal compartment, and does not leave any external marks," the Cambridge researchers explain. Handily, the Ingenico PED provides a concealed compartment designed to take optional SIM-sized cards that expand its functionality. The compartment is not intended to be tamper-proof, so it offers a hidden space for the wiretap, if not direct access to the circuit board.

The Dione PED does not provide a concealed compartment to hide the wiretap, but is still vulnerable. The Cambridge researchers drilled a 0.8mm hole from the rear, through which they inserted a 4cm needle into a flat ribbon connector socket. A thin wire from this link, interfaced through a small board, could be used to send the captured data to a laptop.

The Cambridge researchers conclude that the attack is far easier to pull off than the banking industry claims.

What should have required $25,000 needed just a bent paper clip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice. A small FPGA or microcontroller board with some non-volatile memory can easily fit inside the Ingenico PED’s compartment and record transaction details without the cardholder’s knowledge, while a wire routed from the back of a mounted Dione PED to a recorder under the counter will not be detected unless the cardholder conducts a very close inspection – and knows what to look for.

The recording circuit can be very small and either battery operated or attached to the PED’s power supply; with a full transaction requiring about 1 kB of storage, even a small memory can record thousands of transactions. Detecting such a tap from within the PED is extremely difficult, since high input impedance probes do not significantly distort signals, and proper termination suppresses reflections.

"This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED," the Cambridge researchers note.
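The security-relevant point in the quote above, as an added model that is not from the paper or the article: a passive tap on the card-PED line reads a plaintext PIN block directly, but sees only ciphertext when the PIN is enciphered to the card's public key. Textbook RSA with a throwaway 160-bit key stands in for EMV's enciphered-PIN scheme, the APDU framing follows the EMV VERIFY command, and every key and value here is constructed for illustration.

```python
import os, random

def encode_plaintext_pin_block(pin: str) -> bytes:
    # EMV plaintext PIN block: 0x2N (N = PIN length), BCD digits, 0xF pad to 8 bytes
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))

def tap_observer(apdu: bytes):
    # The tap sees every byte. VERIFY is CLA=00 INS=20; P2=80 carries the plaintext
    # PIN block, P2=88 carries only RSA ciphertext, which gives the observer no PIN.
    if apdu[:2] != b"\x00\x20" or apdu[3] != 0x80:
        return None
    hexed = apdu[5:13].hex().upper()
    return hexed[2:2 + int(hexed[1], 16)]      # the PIN, straight off the wire

def _is_probable_prime(n: int) -> bool:
    # Miller-Rabin for the toy key (n assumed odd and > 3); not for production
    r = ((n - 1) & (1 - n)).bit_length() - 1   # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(24):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits: int = 80):
    # Two 80-bit primes: the 160-bit modulus exceeds the 17-byte message below
    while True:
        p, q = (random.getrandbits(bits) | (1 << (bits - 1)) | 1 for _ in range(2))
        if p != q and _is_probable_prime(p) and _is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % 65537:                    # e is prime: coprime iff not a divisor
                return (p * q, 65537), (p * q, pow(65537, -1, phi))

def pin_verify_apdu(pin: str, enciphered: bool, pub=None) -> bytes:
    # What the PED sends the card. Textbook RSA over 0x7F || block || 8 random
    # bytes stands in for EMV's enciphered PIN, so equal PINs never repeat on the wire
    block = encode_plaintext_pin_block(pin)
    if not enciphered:
        return bytes([0x00, 0x20, 0x00, 0x80, 8]) + block
    n, e = pub
    m = int.from_bytes(b"\x7f" + block + os.urandom(8), "big")
    c = pow(m, e, n).to_bytes(20, "big")
    return bytes([0x00, 0x20, 0x00, 0x88, len(c)]) + c
```

The card, holding the private key, still recovers the block from the enciphered form; only the passive observer on the line is shut out.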

A demo of the attack (video here) featured on UK news programme Newsnight on Tuesday.

It gets worse. To ensure backward compatibility, PIN entry devices read data from magnetic stripes as well as from the chips on newer cards. Anyone tapping the link between a card and the processing device could get all the data needed to make a cloned card. Add in the corresponding PIN, and fraudsters could withdraw cash at the many ATMs overseas not upgraded to read chips and therefore solely reliant on easily faked magnetic stripes.

Tampered PIN entry devices have already been used for fraud. Last December, £80,000 was stolen from 1,500 people in Leicestershire when crooks cloned their cards using a doctored device in a local petrol station.

The process for certifying PIN entry device security is substandard, the Cambridge team argues. Evaluation should be more open, and defective devices should be refused certification, they say.

The Cambridge Chip and PIN scenarios pose little threat in the real world, according to APACS, the banking association which spearheaded the introduction of Chip and PIN in the UK. "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out," a spokesman said.

Ross Anderson, a member of the research team and professor of security engineering at Cambridge, said: "The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

The Cambridge team presents its findings in full in May at the IEEE Symposium on Security and Privacy conference in Oakland, California. Anderson's colleagues are Saar Drimer and Steven Murdoch. ®
